Product Documentation

Configuring Encryption Policies for Android Apps

Jun 26, 2013

App Controller supports the following encryption features for Android devices and apps:

  • Private or public data to be encrypted through the use of a security group
  • The ability to prevent data sharing by using an application key to encrypt files
  • The ability to prevent applications from being made public by using access limits for public files that defines what the app can do with storage, such as Read Only or Read Write access.
  • No encryption

Before you configure encryption policies for apps that run on Android devices, you need to understand how file storage and encryption work on Android devices.

Storing Files on Android Devices

On Android devices, files may be read or written in the following locations:

  • Internal storage
  • External storage
  • Vendor-specific external storage

How Internal Storage Works

Internal storage is a private sandbox for a specific application. The storage path is /data/data/appname, where appname is the name of the application. Directory permissions can prevent other applications from accessing the files in the specified path.

How External Storage works

External storage is a partition that is shared by all applications. On Android devices, external storage can use internal memory. Older devices might use an SD card for external storage.

External storage is often located at /mnt/sdcard. Within that directory, there are subdirectories. These include:

  • Android/data/appname that is a private sandbox, similar to what exists for internal storage.
  • Alarms, DCIM, Download, Movies, Music, Notifications, Pictures, Playlists, and Podcasts that are well known directories for specific types of content.
  • Anything else that is available to the application. The application can access files in the root external storage directory or any subdirectory. The application can also create new subdirectories.

How Vendor-Specific External Storage Works

Android devices might support external storage devices, such as memory cards. When users insert the memory card into the device, the path is defined by the device manufacturer. For example, on the Samsung Galaxy Tab 2, the path is /mnt/extSdCard. The Android operating system does not manage this storage.

Configuring File Application Policies

You can use application policies to control transparent file encryption. The policies apply to public and private files and other areas on Android devices.

  • Private files. A vault that contains internal storage and the sandbox area for external storage.
  • Public files. A vault that contains standard external storage and any vendor-specific external storage.
  • Other. A category that you can use for key management and access limit policies.

Encryption uses the concept of inclusion prefixes and exclusion filters. Inclusion prefixes are used to indicate whether a file is in a particular vault. Each vault has a list of inclusion prefixes. Exclusion filters are POSIX extended regular expressions which then cause particular files or directories to be omitted from a vault. When determining if a path is in a vault, the path must first begin with a prefix associated with the vault. If the prefix exists, the path must also NOT match any of the exclusion filters. If both conditions pass, the path is considered to be part of the vault.

Some applications use unsupported access modes like memory mapping. Others may try to use encrypted files before the encryption key is available. If application issues are encountered, the logcat log may be used to search for error messages on the ctxtfe component. This may lead to possible paths/files that should be excluded.

The following are examples of inclusion prefixes, exclusion filters, and paths:

Inclusion Prefixes

  • /data/data/com.foo
  • /mnt/sdcard/Android/data/com.foo

Exclusion Filters

  • ^app_dx/
  • \.jpg$

Paths

If a vault is defined by the above inclusion prefixes and exclusion filters, the following example paths may or may not appear in the vault:

  • data/data/com.foo/files/myfile.doc

    Located in the vault.

  • /data/data/com.bar/files/myfile.doc

    Not in the vault because there are no inclusion prefixes that match.

  • /data/data/com.foo/app_dx/generated23423.jar

    Does not reside in the vault because of the ^app_dx/ exclusion. The prefix is removed from the path, leaving the path app_dx/generated23423.jar. The exclusion entry that contains the caret (^) symbol means that the match must occur at the beginning of the string. The next characters "app_dx/" must match exactly. The remainder of the path can be anything. You can use this pattern to exclude everything under a specified directory name.

  • /mnt/sdcard/Android/data/com.foo/files/mypic.jpg

    Does not reside in the vault because of the \.jpg$ exclusion. The "\." indicates a match with a dot. The backslash is necessary because the dot is a special regular expression character. The "jpg" extension is a literal match. The "$" means match at the end of the line. This matches any path that ends in ".jpg".

When you configure encryption in App Controller for Android devices, users are permitted offline access only which allows secrets used to derive encryption keys to be persisted on the device.

Note: If you select Offline access permitted, Citrix recommends that you set the authentication policy to Offline challenge only in order to protect access to the keys and the associated encrypted content.

For a complete list of the policies that you can configure for Android devices, including the encryption policies, see Configure MDX Policies for Android Apps in App Controller, in this section.

Configuring Private and Public File Encryption

You can configure two types of encryption that can be applied to either the private or public files. You can select the key type to balance between higher security and the ability to share data. You can use both key types with apps wrapped with the MDX Toolkit and apps that are not wrapped with the toolkit. The two keys are:

  • Security Group Key that encrypt public files by using a key available to all MDX apps in the same security group. Using the security group key allows sharing of data between applications. However, the level of security is lower.
  • Application Key that encrypt public files by using a key only available to the specific MDX app. The application key offers the highest security. If you use the application key, it prevents data from being accessed by other MDX apps. For example, if users in the health industry have radiology files that cannot be compromised, when you upload the app to App Controller, the files are encrypted and cannot be shared.

You can also configure access limits for public files to block data from being moved to less secure locations, such as removable storage. Access limits are independent of encryption.